#VU7343 Improper input validation in Cisco Ultra Services Framework - CVE-2017-6708

Cybersecurity Help s.r.o.

Published: 2017-07-06

Vulnerability identifier: #VU7343

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-6708

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco Ultra Services Framework
Server applications / Frameworks for developing and running applications

Vendor: Cisco Systems, Inc

Description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information or execute arbitrary code.

The vulnerability exists in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework due to improper input validation. A remote attacker can supply specially crafted data used to create symbolic links and read any sensitive file or execute malicious code on an affected system.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
The vulnerability is addressed in the following versions:
5.0.3, 5.1.

Vulnerable software versions

Cisco Ultra Services Framework: All versions

External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Cisco Ultra Services Framework